Components installed with Event Management
- Updated Aug 1, 2024
- Xanadu
- Event Management
Activating the Event Management (com.glideapp.itom.snac) plugin adds several roles, scheduled jobs, and tables.
Roles installed with Event Management
Roles used by the Event Management application.
Role title [name] | Description | Contains roles |
---|---|---|
Event Management Administrator [evt_mgmt_admin] | Configures and sets up Event Management properties and rules. Note: Exercise caution with the evt_mgmt_admin role, as it can be elevated to the admin role. A user with the evt_mgmt_admin role has the ability to add and modify scripts that run on a global scope. Ensure proper access control. With this role, the user can create and/or update the following scripts: | |
Event Management Operator [evt_mgmt_operator] | In addition to the evt_mgmt_user permissions, can also activate operations on alerts such as acknowledge, close, open incident, and run remediations. | evt_mgmt_user |
Event Management User [evt_mgmt_user] | Has read access to all Event Management features. Has the itil role to be able to manage incidents that are created from alerts. | itil |
Event Management Integrator [evt_mgmt_integration] | Has create access to the Event [em_event] and Registered Nodes [em_registered_nodes] tables to integrate with external event sources. | |
Scheduled jobs installed with Event Management
List of scheduled jobs that are provided with Event Management.
Scheduled job | Description |
---|---|
Event Management — Connector execution job | Compares current time with time when active connector instances were last run and sets relevant connectors to execute. Runs every 10 seconds. |
Event Management — Handle Impact Stuck Service | Releases stuck services and marks them as requiring rebuilding in the Impact Changes table to rebuild the impact tree. Runs every 2 minutes, 31 seconds. |
Event Management — Impact Calculator Trigger | Trigger the impact calculation. The Event Management dashboard and impact tree are refreshed using the calculated figures. Runs every 6 seconds. |
Event Management — Impact Topology Consumer | Consumes topology changes and marks the related services as ‘require rebuilding’ in the Impact Changes table to rebuild their impact trees. Runs every 19 seconds. |
Event Management — Update stuck connectors | Release connector instances that are stuck. Runs every 2 minutes. |
Event Management — Alert Priority Queue | Calculate alert priority. Two Alert Priority Queue jobs are active and available and can be run multi-thread. Runs every minute. |
Event Management — Auto Close Alerts | Alerts that are idle longer than 7 days (default time period) are closed. Modify the default using the evt_mgmt.alert_auto_close_interval property. Runs every 10 minutes. |
Event Management — Calculate Alert Priority Grouping | Runs and calculates the priority groups: urgent, high, moderate and low for the alerts according to the highest and lowest priority score in the system. Runs every 30 minutes. |
Event Management — Close Flapping Alerts | Close flapping alerts. Runs every 5 minutes. |
Event Management — Close Threshold Alerts | Close threshold alerts. Runs every 2 minutes. |
Event Management — Evaluate Alert Management Rules | Execute alert management rules. Runs every 11 seconds. |
Event Management — Impact Tree Builder | Handles all services with changes from the em_impact_changes table and rebuilds their impact trees. Runs every 11 seconds. |
Event Management — Insert Health Monitor | Job to produce the ServiceNow Event Management application services. Runs once every hour. |
Event Management — Maintenance Calculator | Calculate the maintenance for CIs. Runs every minute. |
Event Management — Node Count | Calculate license usage. Runs once every hour. |
Event Management — Process Events | Job that runs and processes each Ready event (apply event rule, mapping rule, and create or update alert). Runs every 5 seconds. |
Event Management — Process Metric Binding | Process metric binding. Runs every 5 seconds. |
Event Management — Process Records in em_extra_data_json | Creates events for log analytics anomalies. Runs every 13 seconds. |
Event Management — Queue Connector Processor | Bi-directional functionality. Processes all pending alerts in the Update Queue and sends them to the MID Server. By default, this dequeue process is performed in batches of 1,000 alerts. Runs every 30 seconds. |
Event Management — Recalculate Impact for Groups | By default, this job is not active. Can be run on demand to correct the impact on service groups. Runs on demand. |
Event Management — Recover Stuck Events | Handle all events that are in queued state and switch back to Ready to handle events from the beginning. Runs at system startup. |
Event Management — Update Health Monitor | Update the ServiceNow Event Management application services. Runs once every hour. |
Event Management — Update SLA Configuration Result | Synchronizes the CIs that match the SLA configuration filter with the Event Management SLA [em_ci_severity_task] table. Runs every 10 minutes. |
Event Management — Update SLA Severity | Updates Event Management SLA [em_ci_severity_task] table with the new severity. Runs once every hour. |
Event Management — Convert IT Service | Run this property on demand to convert manual services to application services. Runs every 30 minutes. |
Event Management — Collect xmlstats | Collect event processing statistics. Runs once every minute. |
Event Management — Impact Calculator for Alert Groups and SLA | Calculates the effect of alerts on alert group services. |
4x Event Management — Impact Calculator for Services | Calculates the impact of alerts on application services, and builds the impact tree on the Event Management dashboard. Four separate jobs run to ease the load on the system. |
Event Management — Backfill Alert History table | Locates redundant records in the em_alert_history table and cancels them. |
Event Management — Backfill Impact Status table | Locates redundant records in the em_impact_status table and cancels them. |
Event Management — Impact for Groups | Calculates the impact of alerts on service groups. |
Event Management — Clean Alert History Table | Cleans the Alert History (em_alert_history) table by removing records more than 90 days old. You can customize the amount of time after which alerts are removed by configuring evt_mgmt.impact_calculation.cleanup_age_seconds.em_alert_history in the sys_properties.list table. |
Event Management — Clean Impact Status Table | Cleans the Impact Status (em_impact_status) table by removing records more than 90 days old. You can customize the amount of time after which alerts are removed by configuring evt_mgmt.impact_calculation.cleanup_age_seconds.em_impact_status in the sys_properties.list table. |
Event Management adds the following scheduled jobs to support alert aggregation and RCA.
Name | Description |
---|---|
Service Analytics Purge Old Observation Data — Daily | Cleans the staging data. |
Service Analytics Prepare RCA Learner Input Data — Daily | Prepares RCA input data. Stores and probes MID Server to learn statistical information about alerts. |
Service Analytics group alerts using RCA/Alert Aggregation | Applies RCA and alert aggregation to open alerts and prepares automated alert groups. |
Service Analytics Alert Aggregation Learner — Daily | Learns information about existing alerts and groups new open alerts. |
Service Analytics RCA Configuration | Configures root cause analysis. |
Service Analytics Check File System Space on Analytics MID -Daily | Checks disk usage on the dedicated MID Server, and generates an event if it exceeds the threshold set in the sa_analytics.rca.mid_max_allowed_space property. |
Service Analytics Gather Value Report Data — Daily | Gathers data for the Value Report. |
Service Analytics — Update virtual alerts for aggregation groups | Update the virtual alerts that were created to represent alert aggregation groups, with any changes to alerts belonging to that group. Runs every minute. |
Service Analytics Attribute Populator for Historical Alerts | Populate attributes used in feature identifier for historical alert data using event rules. Runs on demand. |
Properties for personalizing domain separation for Event Management connectors
Properties provide the metadata to identify the domain.
You can change the values to use another table or other fields for domain identification, but make sure that the table is domain separated.
There are three caches maintained for personalizing domain separation (main, user_access, missing_domain). You can create a few system properties to control them.
Property | Description |
---|---|
evt_mgmt.connector_domain_info_table_name | The table where you store domain information for personalizing domain separation. |
evt_mgmt.connector_domain_info_column_name | The field name in the table to identify the provided domain for personalizing domain separation. |
evt_mgmt.connector_domain_id_column_name | The field to get domain ID from for personalizing domain separation. |
evt_mgmt.connector_domain_path_column_name | The field to get the domain path from for personalizing domain separation. |

Property | Description |
---|---|
evt_mgmt.connector_custom_domain_sep_cache_expire_in_seconds | For personalizing domain separation, if you don’t want your main cache to expire every week. |
evt_mgmt.connector_custom_domain_sep_user_access_on_domain_cache_size | For personalizing domain separation, if you want to increase the size of the user access cache. |
evt_mgmt.connector_custom_domain_sep_missing_domain_cache_expire_in_seconds | For personalizing domain separation, if you want to increase the expire time for cache storing information regarding the missing domain. |
evt_mgmt.connector_custom_domain_sep_cache_size | For personalizing domain separation, if you need more main cache size for storing domain information. |
Tables installed with Event Management
Tables that are provided when Event Management is activated.
Table | Description |
---|---|
Alert [em_alert] | Alerts that Event Management manages. |
Alert Correlation Rule [em_alert_correlation_rule] | Rules specifying primary and secondary correlated alerts. |
Alert Aggregation Group Alerts [em_agg_group_alert] | Stores alerts associated with aggregated alert groups. |
Alert Aggregation Group [em_agg_group] | Relationships between aggregated groups and primary alerts. |
Alerts History [em_alert_history] | History of alerts. Used for impact calculation. |
Alert Rule [em_alert_rule] | Mappings of alert fields to the Incident [incident] table. |
Alert Template [em_alert_template] | Alert templates. This table extends the Template [sys_template] table. |
Event Management SLA [em_ci_severity_task] | Event Management SLA tasks for CIs and services. |
Connector Definition [em_connector_definition] | Settings for gathering events from external event sources. |
Connector Instance [em_connector_instance] | Connection details for external event sources. |
MID Server to Connector Instance [em_connector_instance_to_mid] | Mappings of MID Servers to connector instances. |
Event Management License Usage [em_unique_nodes] | When events are received by ITOM Health, an entry is added or updated in this table based on the monitored target specified in the received message. The entry links to its corresponding CMDB CI. If none is found, the entry is assigned Type = Unknown. |
Event [em_event] | Events received by Event Management. |
Event Filter [em_event_filter] | Storage for defined event filters. |
Event Match Rule [em_match_rule] | Updated events for alert processing. Used by event rules. |
Event Match Field [em_match_field] | Mappings of event fields to alert fields. Simple mapping. Used by Event Rules. |
Event Compose Field [em_compose_field] | Mappings of event fields to alert fields. Composite mapping. Used by Event Rules. |
Event Mapping Rule [em_mapping_rule] | Updated event fields for alert processing. |
Event Processing Statistics [em_event_stats] | Statistics on Event Management performance. |
Event Type [em_event_type] | Event types. |
Task Template [em_incident_template] | Templates that define how to populate new tasks. For example, how fields of an incident that is being created from an alert, must be populated. This table extends the Template [sys_template] table. |
Registered Nodes [em_registered_nodes] | Registered nodes data. |
Threshold Rule [em_threshold_rule] | Alert threshold rules. |
Binding Device Map [Em_binding_device_map] | Event binding to network paths and storage paths. |
Process to CI Type Mappings [Em_binding_process_map] | Event binding to specific processes. |
CI Remediation [em_ci_remediation] | Remediation rule definitions. |
Impact Graph [em_impact_graph] | Impact tree of CIs containing CI hierarchy and impact rules to be used for impact calculation. |
Impact Graph History [em_impact_graph_history] | History of changes in impact tree. |
Impact Rule Definitions [em_impact_rule_definition] | Definition of rules used for impact calculation. |
Impact Rule instance [em_impact_rule] | Rules based on impact rule definitions. |
Infrastructure Relations [em_impact_infra_rel_def] | Child-parent pairs or CI types. CIs matching these definitions are added to impact trees. |
Impact Maintenance CIs [em_impact_maint_ci] | CIs that are in maintenance and therefore are excluded from impact calculation. |
Impact Status [em_impact_status] | Calculated status of CIs and services to be displayed in the dashboard and service maps for dynamic CI groups. |
SLA Configuration [em_sla_configuration] | SLA configuration records that identify the CIs that SLAs can run on. |
Service Analytics Metric Type Registration [sa_metric_registration] | Source registration details for processing raw data. |
Health monitor scripts [em_monitor_scripts] | These scripts determine how to monitor or check, for example, when using the Connectors Monitor script. You can create customized script to monitor a device or an entity. The scripts provided with the base instance are: |
Monitoring configuration [em_monitor_conf] | Use this table to configure what to monitor according to the scripts that are listed. Configure how often to run each script. If a script has a threshold, it determines what alert severity to display. Threshold values are in units of minutes and specify the delay time. Navigate to Event Management > Settings > Self-Health configuration to see the list of Monitoring Configurations or to create a new one. Use this script to test Data Center Monitoring. The scripts provided with the base instance are: |
Monitoring Event Management Jobs [em_monitor_jobs_state] | Monitor Event Management jobs by adding the relevant jobs to the table. Note: The following jobs are not monitored by this table: |
Monitoring state [em_monitor_state] | Use this table to set the threshold for each connector. When there is a value above the threshold, an alert is generated. |
EM XMLStats Data [em_xmlstats_data] | Self-health statistics and diagnostic details for Metric Intelligence and Event Management, which are used to produce the XMLStats page. |
Event Management adds the following tables to support alert aggregation and RCA.
Table | Description |
---|---|
SA RCA Status [sa_rca_status] | Information (such as IDs) for the latest messages that were sent to the ECC Queue for a service during RCA. |
SA RCA Output [sa_rca_output] | RCA learner output data. |
SA RCA Group [sa_rca_group] | Automated alert groups for the RCA query. |
SA Analytics Alert Staging [sa_analytics_alert] | Staging table for alerts used for analytics. |
SA RCA Input [sa_rca_input] | Input data for the RCA learner. |
SA Analytics Status [sa_analytics_status] | Last run information to be used for alert aggregation and RCA. |
SA RCA Group Alert [sa_rca_group_alert] | Alerts associated with automated alert groups. |
SA RCA Service Configuration Item Association [sa_rca_svc_ci_assoc] | Associations between CIs and services. |
SA Alert Aggregation Learned Pattern [sa_agg_pattern] | Learned patterns from alert aggregation. |
SA Alert Aggregation Learned Pattern Elements [sa_agg_pattern_element] | CI/Metric Name pairs associated with learned patterns. |
SA Alert Aggregation Query Group Patterns [sa_agg_group_pattern] | Relationships between groups discovered in alert aggregation queries and patterns found in learning. |
SA Alert Aggregation Query -- Staged (Recent) Alerts [sa_agg_group_alert_staging] | A staging table for alerts that have not yet been associated with any aggregated alert group. |
SA Agg Pattern Attribute [sa_agg_pattern_attribute table] | CI/alert attributes to be used for finding patterns for alert aggregation. |
SA Alert Attribute Populator Status [sa_alert_attribute_populator_status table] | State and statistics for attribute populator job. |
SA Alert Aggregation Learned Pattern Elements Pair wise Mutual Information and Joint Probability [sa_agg_pattern_element_pair] | Pairwise probabilities for pattern elements. |
EM Agg Group Prediction [em_agg_group_prediction] | Alert predictions for alert groups. |